A key component of any breach response preparation effort is to make certain that all staff members are trained in who to contact within the organization about a security incident "even if they are not sure whether it's a breach," says Dawn Morgenstern, privacy official at the Walgreens U.S. drugstore chain.
Another essential step, she says in an interview (transcript below), is to document all necessary breach investigation and notification actions and responsibilities to avoid chaos when an incident occurs.

Morgenstern also:

Stresses that representatives from many departments should be included in breach notification. That includes privacy as well as security officers, corporate communications, the call center, finance and even the mailroom.

Points out that when a breach occurs, the organization should spell out in writing "who is responsible for what actions" in the specific breach response effort. "You have to make sure that all the key players know what their responsibilities are."

Stresses that in the wake of a breach, the organization should take necessary action to mitigate the risks involved "as soon as possible to prevent any further harm."

Morgenstern also explains why she hopes the final version of the HIPAA breach notification rule will retain the "harm standard" that's in the interim final version now in effect. That provision, which some consumer advocates oppose, states that organizations can conduct an assessment to determine whether an incident represents a significant risk of harm and thus should be reported to those affected as well as regulators. If all breaches must be reported, regardless of the risk involved, "consumers would be so overloaded with notices" that they would be largely ignored, she argues.

The interview took place at the American Conference Institute's Healthcare Information Privacy & Security Forum in Philadelphia, where Morgenstern was a panelist.

Morgenstern serves as Walgreens' privacy official as required by federal law for healthcare organizations under HIPAA and as financial privacy officer, and she was instrumental in the development of the comprehensive enterprisewide HIPAA privacy program. She holds a Certification in Healthcare Privacy Compliance (CHPC) through the Health Care Compliance Association.

Privacy Duties

HOWARD ANDERSON: For starters, tell us a bit about your role at Walgreens and the projects that you work on.

DAWN MORGENSTERN: I am Walgreens' privacy official, and my functions are to run the day-to-day operations of our privacy office, which includes HIPAA privacy as well as, to some degree, customer financial privacy. ... We provide guidance to our field as well as our corporate entities. We handle all of the customer requests with regard to HIPAA privacy. We handle all of the complaints that are filed with our company for privacy as well, and we're involved in a number of different projects as business evolves and new technologies come in. Our role is to be in on that ground floor of the development of that project or that process, and then make sure that whatever they are doing as they move forward they are incorporating privacy into the structure so that when they get to the testing and piloting phases of some of the projects we're not holding anything up and they've built it into the system.

Incident Response

ANDERSON: I understand that Walgreens has developed a detailed incident response plan. Will you briefly go over some of the key components of that plan for detecting breaches and notifying those affected and handling breach resolution?

MORGENSTERN: Actually the incident response piece is part of our plan. We have a very detailed breach identification and notification plan. ... It starts out as a very comprehensive flow chart and it includes both the HIPAA privacy rule from the federal level as well as state security breach notification rules. So you follow the process of doing the intake, getting the facts around an incident, and making a determination at that point, number one, does it involve federal or state rules or both, and is this likely to be something that requires notification. So as part of the continuing analysis, then you would bring in the key players on the incident response teams, which would include obviously IT security, if they are not already aware of the incident, as well as our corporate communications or public relations departments, representation from the call centers, legal representation, and definitely including the business vice presidents or senior managers or directors in the [affected] area. We need to ensure that the business where the incident may have occurred is well aware of what has happened and what all has to occur. ...

Then, to some degree, you have to also bring in several individuals from the operations' perspective because, if it involves communications out to the field internally or processes or procedures that have to be modified or changed, they are going to be instrumental in helping us push those changes out.

Then we would also include a representative from finance in the event that we would do credit monitoring or any of those kind of functions, and then, if it requires a large mailing [to those affected] we would involve our mailing department. ... So, again the incident response piece is actually just one piece of the detailed chart that we have developed from a flow process. Then we take that same flow and we incorporate that for purposes of documentation. We [create a document outlining] the steps so that if it's an incident affecting over 500 individuals and if OCR [the Department of Health and Human Services' Office for Civil Rights] were to ever come in and do an investigation on that, we have it spelled out more clearly for them so they can understand it as well.

Breach Response Tips

ANDERSON: So what advice would you give to other healthcare organizations on the essential steps they should be taking to plan for a breach response?

MORGENSTERN: Well I think the best advice ... is to make sure that your workforce is trained to know where to report an incident. ... So the most important message we try to get out is who to contact - even if they are not sure whether it is a breach - and to contact us immediately. We have many different types of businesses, so if people don't know how to notify, that can put a huge hindrance on our ability to mitigate risk.

The next thing I would recommend is to make sure that you clearly document as you're going through your breach determination, and if you've [activated] your incident response teams, make sure you document who is responsible for what actions and make sure it is clear to everyone what their actions are, because you can't do this by yourself. ... So you have to make sure that all the key players know what their responsibilities are in walking away from the table, and then included in all of that, because your investigation will go on for a period of time, is to mitigate as soon as possible. You want to prevent any further harm ...

When you have this process documented it helps you not panic because you already know what you have to do. So when it comes time where things are happening quickly, you've got that structure set up.

Breach Prevention

ANDERSON: So could you give us a few examples of some of the steps Walgreens is taking to prevent breaches?

MORGENSTERN: Well, training is obviously a big step in preventing any kind of breach because I think people have to understand the basic definitions of what a breach is. ...

Also, we [the privacy team] have a very close working relationship with our IT security compliance team ... from a technology perspective. And while we're not the experts in that area, we have forged that relationship and we act in conjunction with each other so that ... we can help each other along the way. I don't always know all the technologies to secure data, so I rely on their information and guidance there. They rely on our information and guidance and experience when it comes to investigations as well, so it's kind of a trade off. That has been a big step for us in making sure that we are creating an environment where there is less risk as opposed to more risk.

In those areas where there may be a higher risk because of a new project ... a lot of times we can bring other players to the table. ... One of the biggest steps for us is forging those relationships. Because we can't, even with notification, do it by ourselves; we also can't ensure compliance and reduce risk by ourselves. I think it is a team effort all the way.

Encryption

ANDERSON: Can you give us just a brief overview of how you are using encryption?

MORGENSTERN: ... One of the things that we've done is the laptops all have encryption on them. We did that back years ago when it wasn't as prominent an issue. ... The other thing is, as many entities are moving into the mobile application environment, we are ... looking at a lot of different [security] technologies ... like auto-wipe, where the system can be remote-wiped in the event of a loss of a device. ...

Collaboration is Critical

ANDERSON: So what is your advice to other organizations when it comes to breach prevention?

MORGENSTERN: My advice, and this is from my own experience, is that you have to have that collaboration. The biggest advice that I have is that in many cases our groups are small for the size of the organization, so you constantly have to stay on top of a lot of things, and the only way that you can really do that is to stay involved and active with other parts of the organization. And even if you haven't heard from anyone in that area in a long time, it is always good to reach out and keep that networking going so that when things come up, people think of you where they may not have thought of you before as far as notification and bringing you into the loop. ...

Breach Notification Rule

ANDERSON: Finally, do you expect to see any changes in the final version of the HIPAA breach notification rule? For example, what about the harm standard that enables organizations to determine whether an incident represents a significant enough risk of harm to merit reporting it? Might that be omitted or revised do you think?

MORGENSTERN: It's hard to say. I would hope that they would not remove the harm standard. In the standard notification requirement, we have certain things that we have to tell the individual about the incident. If suddenly we had to say every time any piece of information was impermissibly used or disclosed or accidentally disclosed ... if we had to notify every single person every single time something like that happened, I would think, as a consumer, I would be so overloaded with notices I would never know when something significant occurred.

So it would be my hope that they do leave that piece of it in, because I think that we have to be able to also have meaningful communication with our customers. If you are constantly hearing, "Oh here I got another letter from company ABC," I think after a period of time people would just ignore them and it becomes one of those things that we stick in our shredders every day when we get home from work. ... A lot of people say, "Well consumers should know about every single thing," but at some point, I think it becomes even burdensome on the consumer.